{"id":51205418,"url":"https://github.com/argorixlabs/argorixlang","last_synced_at":"2026-06-28T03:01:31.791Z","repository":{"id":365616439,"uuid":"1272943066","full_name":"argorixlabs/argorixlang","owner":"argorixlabs","description":"Argorix Lang is a compiled language for secure, verifiable AI-agent communication.","archived":false,"fork":false,"pushed_at":"2026-06-26T05:16:54.000Z","size":765,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-26T06:14:52.745Z","etag":null,"topics":["agent-security","agentic-ai","ai-agents","ai-agents-framework","ai-safety","bytecode","compiler","deterministic-systems","prompt-injection","rust-lang","secure-communication","virtual-machine"],"latest_commit_sha":null,"homepage":"https://argorix-lang.org","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/argorixlabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-18T04:27:30.000Z","updated_at":"2026-06-26T05:16:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/argorixlabs/argorixlang","commit_stats":null,"previous_names":["argorixlabs/argorixlang"],"tags_count":28,"template":false,"template_full_name":null,"purl":"pkg:github/argorixlabs/argorixlang","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/argorixlabs%2Fargorixlang","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/argorixlabs%2Fargorixlang/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/argorixlabs%2Fargorixlang/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/argorixlabs%2Fargorixlang/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/argorixlabs","download_url":"https://codeload.github.com/argorixlabs/argorixlang/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/argorixlabs%2Fargorixlang/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34875362,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-28T02:00:05.809Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-security","agentic-ai","ai-agents","ai-agents-framework","ai-safety","bytecode","compiler","deterministic-systems","prompt-injection","rust-lang","secure-communication","virtual-machine"],"created_at":"2026-06-28T03:01:31.080Z","updated_at":"2026-06-28T03:01:31.782Z","avatar_url":"https://github.com/argorixlabs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg width=\"520\" src=\"https://argorix-lang.org/assets/argorix-lockup.png\" alt=\"Argorix Lang\" /\u003e\n\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n\n  \u003cstrong\u003eSecure. Verifiable. Programmable.\u003c/strong\u003e\n\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n\n  \u003ca href=\"https://argorix-lang.org\"\u003eWebsite\u003c/a\u003e\n  ·\n  \u003ca href=\"https://github.com/argorixlabs/argorixlang\"\u003eRepository\u003c/a\u003e\n  ·\n  \u003ca href=\"#build-and-verify\"\u003eBuild\u003c/a\u003e\n  ·\n  \u003ca href=\"#roadmap\"\u003eRoadmap\u003c/a\u003e\n  ·\n  \u003ca href=\"./LICENSE\"\u003eApache-2.0\u003c/a\u003e\n\u003c/div\u003e\n\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![CI](https://github.com/argorixlabs/argorixlang/actions/workflows/ci.yml/badge.svg)](https://github.com/argorixlabs/argorixlang/actions/workflows/ci.yml)\n[![Security \u0026 licenses](https://github.com/argorixlabs/argorixlang/actions/workflows/security.yml/badge.svg)](https://github.com/argorixlabs/argorixlang/actions/workflows/security.yml)\n[![DCO](https://github.com/argorixlabs/argorixlang/actions/workflows/dco.yml/badge.svg)](https://github.com/argorixlabs/argorixlang/actions/workflows/dco.yml)\n[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196.svg)](https://conventionalcommits.org)\n\n\u003cdiv align=\"center\"\u003e\n\n\u003c!-- GitHub strips \u003ciframe\u003e, so this clickable thumbnail is the embed that renders on the repo page. --\u003e\n\u003ca href=\"https://www.youtube.com/watch?v=ZhQMps17CFo\"\u003e\n  \u003cimg width=\"560\" src=\"https://img.youtube.com/vi/ZhQMps17CFo/maxresdefault.jpg\" alt=\"Watch the Argorix Lang video\" /\u003e\n\u003c/a\u003e\n\n\u003c!-- Renders on sites that allow iframes (e.g. argorix-lang.org). --\u003e\n\u003ciframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/ZhQMps17CFo?si=6UW1u-i3evlLdN04\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen\u003e\u003c/iframe\u003e\n\n\u003c/div\u003e\n\n# Argorix Lang\n\n**Argorix Lang** is a compiled language for secure, verifiable communication between AI agents.\n\nIt is currently implemented in **Rust**, with a long-term path toward progressive self-hosting. The project explores language-level infrastructure for AI-agent systems where security, traceability, provider boundaries, and runtime evidence are part of the execution model rather than afterthoughts.\n\nArgorix Lang is early-stage infrastructure, but the direction is explicit:\n\n```text\nsource language\n  -\u003e parser\n  -\u003e semantic and security verification\n  -\u003e Argorix IR\n  -\u003e Argorix Bytecode\n  -\u003e Argorix VM\n  -\u003e deterministic scheduling\n  -\u003e controlled tool/model calls\n  -\u003e provider boundary validation\n  -\u003e global policy verification\n  -\u003e trace ledger\n```\n\n## Current status\n\n**Version:** `1.0`\n**Status:** Secure Multi-Agent Runtime MVP\n**License:** Apache-2.0  \n**Implementation:** Rust  \n**Execution modes:** `dry_run`, `simulated`, and governed `sandboxed_external`\n\nVersion 1.0 adds the Secure Multi-Agent Runtime MVP. Its governing rule is:\n\n```text\nRuntime may execute only what governance explicitly permits.\n```\n\nThe top-level `runtime_execution_profile` binds named agents and a provider to\nRuntime Hardening, a Threat Model, an ATrust Evidence Map, Governance Profile,\nexplicit allowed/denied actions, audit evidence, SecurityReport generation,\nand `fail_closed true`. The top-level `sandboxed_provider_adapter` binds that\nruntime to a bounded operation set and redacted endpoint/secret references.\n\nThe three modes have deliberately different behavior:\n\n- `dry_run` produces trace and evidence without provider execution.\n- `simulated` uses only the existing deterministic in-process `simulated`\n  provider.\n- `sandboxed_external` is blocked unless the adapter, operation, policy,\n  hardening, evidence, governance, audit, and fail-closed guards all validate\n  and the caller supplies `--sandboxed-external`.\n\nIn v1.0, the explicit flag creates an auditable external-call plan; core\nArgorix performs no HTTP request and ships no mandatory OpenAI SDK. An\nOpenAI-compatible adapter may declare references such as\n`env:OPENAI_BASE_URL` and `env:ARGORIX_PROVIDER_TOKEN`, but Argorix never reads or\nprints their values. Bytecode stores the reference names with\n`endpoint_value: null`, `secret_value: null`, and `redacted: true`.\n\n```powershell\nargorix-vm run examples/runtime_mvp_v100.argbc.json `\n  --runtime ChatbotRuntime `\n  --adapter OpenAISandbox `\n  --operation responses.create `\n  --sandboxed-external `\n  --json\n```\n\nThis is not a free runtime. External providers remain non-executable by\ndefault, network is never opened by default, tools and agents cannot execute\nfreely, and secret/key material is never embedded. MCP and A2A remain\ndeclarative bridge contracts. DID, VC, credential, handshake, signature, and\nblockchain verification remain outside the runtime. SecurityReport v1.0 and\nEvidenceBundle v1.0 record the profile, adapter, redaction, policy result, and\nblocked/planned execution events while offline verification retains v0.36 and\nolder compatibility.\n\nSee\n[`examples/runtime_mvp_v100.argx`](examples/runtime_mvp_v100.argx),\n[`examples/runtime_mvp_v100.argbc.json`](examples/runtime_mvp_v100.argbc.json),\n[`examples/runtime_mvp_project`](examples/runtime_mvp_project), and\n[`conformance/suite.v100.json`](conformance/suite.v100.json).\n\n## v0.36 specification freeze\n\nVersion 0.36 adds Spec Freeze + v1.0 Release Candidate metadata. A top-level\n`spec_freeze` pins the frozen feature surface, accumulated compatible versions,\nrequired conformance suites, evidence requirements, and closed runtime\nboundaries. A top-level `release_candidate` binds that freeze to required local\nartifacts, release checks, a compatibility matrix, and known limitations.\n\nSpec freeze does not mean production runtime. Release-candidate metadata does\nnot mean production, legal, compliance, regulator, or security certification.\nBoth declarations require `runtime_status disabled`, `network denied`,\n`external_execution disabled`, `provider_execution disabled`,\n`tool_execution disabled`, `agent_execution disabled`, `env_access denied`,\n`filesystem_access denied`, `secret_material denied`, `key_material denied`,\n`security_claims none`, `legal_claims none`, and `certification none`.\n\nThe freeze extends Runtime Hardening, Public Conformance, Governance Profiles,\nATrust Evidence Mapping, Trust Ledger, Policy v2, SecurityReport, and\nEvidenceBundle. It does not change their prior semantics. SecurityReport and\nEvidenceBundle advance to v0.36 while offline compatibility with v0.34 and\nv0.35 remains explicit.\n\n### v1.0 RC boundaries\n\nArgorix v1.0 RC is still declarative. Runtime execution remains disabled.\nExternal providers remain non-executable unless a future sandbox explicitly\nenables them; `simulated` remains the only executable provider today. OpenAI\nAPI keys and OpenAI API support are not part of core Argorix Lang. MCP/A2A\nremain bridge contracts, not live bridges. DID, VC, credential, and handshake\nverification remains non-real and declared-only. No network, environment,\nfilesystem, secret, key, signature, blockchain, regulator, or certification\ncapability is introduced by the release candidate.\n\nSee\n[`examples/spec_freeze_v036.argx`](examples/spec_freeze_v036.argx),\n[`examples/spec_freeze_v036.argbc.json`](examples/spec_freeze_v036.argbc.json),\nand [`examples/spec_freeze_project`](examples/spec_freeze_project).\n\nVersion 0.35 adds Runtime Hardening + Threat Model. A top-level\n`runtime_hardening_profile` binds deny-by-default enforcement, sandbox,\nnetwork, provider, tool, agent, filesystem, environment, secret, and key\nboundaries to the existing evidence, governance, and public-conformance\nartifacts. A top-level `threat_model` maps assets, threats, mitigations,\nresidual risk, and risk acceptance to that profile.\n\nBoth declarations are offline metadata. They do not enable a runtime, execute\nagents or tools, call providers, open network connections, read environment\nvariables, secrets, or keys, simulate attacks, execute exploits, verify a\nthird party, certify security, eliminate risk, or provide legal certification.\nTheir VM events and Policy v2 rules preserve those boundaries fail-closed.\nSecurityReport v0.35 summarizes hardening profiles and threat models;\nEvidenceBundle v0.35 covers the resulting bytecode, trace, report, and ledger\nwhile retaining verification compatibility with v0.33 and v0.34 artifacts.\n\nSee\n[`examples/runtime_hardening_v035.argx`](examples/runtime_hardening_v035.argx),\n[`examples/runtime_hardening_v035.argbc.json`](examples/runtime_hardening_v035.argbc.json),\nand\n[`examples/runtime_hardening_project`](examples/runtime_hardening_project).\n\nVersion 0.34 adds Third-Party Verification / Public Conformance. A top-level\n`third_party_verifier` declares reviewer identity metadata, organization,\njurisdiction, independence, bounded review scopes, and explicitly disallowed\nclaims. A top-level `public_conformance_report` binds that verifier to a local\nconformance suite, source and bytecode artifacts, ATrust Evidence Map,\nGovernance Profile, Regulatory Mapping, Trust Ledger, SecurityReport, trace,\nEvidenceBundle, review result, reproducibility mode, and individually mapped\nclaims.\n\nThe governing rule is: public conformance must be reproducible before it can be\ntrusted. These declarations are audit artifacts. A declared third-party\nverifier is not an externally authenticated legal auditor; a passed public\nconformance report is not regulator approval or legal certification; a mapped\nclaim is not legally certified; and reproducible artifacts are not\ncryptographic endorsement. Published metadata does not mean a remote audit\noccurred and a passed suite does not mean risk was eliminated.\n\nBoth declarations are fail-closed with `legal_claims none`, `certification\nnone`, `network denied`, `external_execution disabled`, `secret_material\ndenied`, `key_material denied`, `execution disabled`, and `security_claims\nnone`. Argorix performs no network calls, secret/key reads, external verifier\nexecution, signing, signature verification, DID/credential verification,\nremote attestation, regulator submission, or real MCP/A2A runtime.\n\nPolicy v2 evaluates verifier scope, artifact bindings, evidence/governance/\nregulatory relationships, reproducibility, and absent runtime/legal/security\nclaims offline. SecurityReport v0.34 summarizes both declaration families.\nEvidenceBundle v0.34 semantically covers the bytecode, trace, report, and\nledger. This extends Governance Profiles, Regulatory Mapping, ATrust Evidence\nMapping, Trust Ledger, and Policy v2 without converting any of them into legal\nor cryptographic proof.\n\nSee\n[`examples/public_conformance_v034.argx`](examples/public_conformance_v034.argx),\n[`examples/public_conformance_v034.argbc.json`](examples/public_conformance_v034.argbc.json),\nand\n[`examples/public_conformance_project`](examples/public_conformance_project)\nfor the single-file, bytecode, and package examples.\n\nVersion 0.33 adds Governance Profiles + Regulatory Mapping. A top-level\n`governance_profile` records scope, ownership, jurisdiction, framework,\nATrust Evidence Map and Trust Ledger bindings, policies, controls, risk level,\nreview status, and assurance. A top-level `regulatory_mapping` maps declared\nobligations to those controls and their evidence for audit review.\n\nGovernance must be declared before compliance can be assessed. These blocks are\nmetadata and audit aids: a governance profile is not a compliance\ncertification; a regulatory mapping is not legal advice; an obligation mapped\nis not an obligation legally satisfied; a control mapped is not an externally\naudited control; and a declared risk level does not mean risk was eliminated.\n\nBoth blocks remain fail-closed: `legal_claims none`, `certification none`,\n`network denied`, `external_execution disabled`, `secret_material denied`,\n`key_material denied`, `execution disabled`, and `security_claims none`.\nArgorix does not claim regulator approval or legal compliance. Policy v2\nevaluates structural governance bindings offline. SecurityReport v0.33\nsummarizes profiles, controls, mappings, obligations, and denied runtime\nboundaries. EvidenceBundle v0.33 covers the bytecode, trace, report, and ledger\ndigests without identity, credential, handshake, signature, blockchain,\nMCP/A2A, network, or legal verification.\n\nSee\n[`examples/governance_mapping_v033.argx`](examples/governance_mapping_v033.argx)\nfor the complete single-file example.\n\nVersion 0.32 adds ATrust Evidence Mapping: a top-level\n`atrust_evidence_map` block that links an agent passport, ATrust identity,\ncredential contract, handshake, trust ledger, MCP/A2A bridge contracts,\npolicies, SecurityReport, trace, and EvidenceBundle as declared evidence\nmetadata.\n\nThe core rule is: evidence must be mapped before trust can be evaluated. A map\ncan say an identity is declared, a credential is declared, a dry-run handshake is\ndeclared, a ledger contains the referenced event, bridge contracts are declared,\nand an evidence bundle covers those pieces. It never says identity verified,\ncredential verified, handshake executed or secure, MCP/A2A connected, signature\nverified, tamper-proof, blockchain verified, or post-quantum secure.\n\n`atrust_evidence_map` is locked to non-runtime boundaries: `mapping_mode\ndeclared_only` or `evidence_only`, `verification declared_only` or `disabled`,\n`resolution disabled`, `network denied`, `external_execution disabled`,\n`secret_material denied`, `key_material denied`, `execution disabled`, and\n`security_claims none`.\n\nSecurityReport v0.32 includes an `atrust_evidence_maps` summary with totals,\nnames, required coverage, non-verifying mode counts, denied network/execution\ncounts, `security_claims none`, and identity/credential/handshake/ledger/bridge\nlink totals. EvidenceBundle v0.32 covers the resulting bytecode, trace, report,\nand ledger digests. Policy v2 adds `atrust_evidence_map_*` rules for declared\nmaps, bound links, required coverage, disabled resolution/execution, denied\nnetwork/material, and absent security claims.\n\nVersion 0.31 adds MCP / A2A Bridge Contracts: two top-level blocks,\n`mcp_bridge_contract` and `a2a_bridge_contract`, that declare *how* an agent\ncould interoperate with external MCP tools/resources/prompts or with another\nagent over A2A. A bridge contract describes an allowed interoperability surface;\nit does **not** open network access, start an MCP server, send A2A messages,\nexecute tools or agents, read API keys, complete OAuth, resolve DIDs, or verify\ncredentials. **A bridge may be declared before it is connected** — a declared\nbridge is never a connected bridge. v0.31 only declares, validates, lowers to\nIR/bytecode, reports, and produces evidence for these contracts.\n\nVersion 0.30 added the Trust Ledger Hash Chain: a top-level `trust_ledger` block\nthat preserves an ordered, auditable hash chain linking earlier trust evidence\n(identities, credential contracts, handshakes) and the evidence bundle. It is an\naudit structure, not a blockchain and not a cryptographic trust guarantee — there\nis no consensus, mining, networking, signing, signature verification, key/secret\nhandling, or DID/credential verification. Trust evidence may be linked before it\nis trusted; no trust event becomes authority merely because it is chained.\n\nThis builds on the ATrust line: v0.26 ATrust Boundary Contracts, v0.27 ATrust\nIdentity Dry-Run, v0.28 ATrust Credential Contracts, and v0.29 ATrust Handshake\nDry-Run — each declarative, compilable, auditable metadata only. Earlier layers\nare all preserved: Crypto Primitive Registry and Crypto Boundary + Post-Quantum\nReadiness (v0.24–v0.25); the Adapter Framework and Declarative Adapter Profiles\n(v0.22–v0.23); Feature Flags + Secret Boundary (v0.21) and Sandboxed Provider\nHarness (v0.20) governance metadata; the Agent Passport / Sovereign Agent\nIdentity block (v0.19); and Typed Message Contracts, Policy Language v2, and the\nModule / Package System (v0.16–v0.18). No version reads environment variables,\nstores secret material, opens a vault, resolves a DID, or makes a network call.\n\n```text\nargorix.toml + src/*.argx\n  -\u003e module resolution (deterministic graph)\n  -\u003e whole-package semantic and security verification\n  -\u003e lexer / parser / AST\n  -\u003e Argorix IR 0.31 (with MCP/A2A bridge contracts, trust ledger, ATrust handshake/credential/identity/boundary, DID method, crypto, adapter, feature, secret, harness, passport, typed message, policy and module metadata)\n  -\u003e Argorix Bytecode 0.31 (with MCP/A2A bridge contracts, trust ledger, ATrust handshake/credential/identity/boundary, DID method, crypto, adapter, feature, secret, harness, passport, typed message, policy and module metadata)\n  -\u003e Argorix VM\n  -\u003e agent mailboxes\n  -\u003e deterministic scheduler\n  -\u003e reactive handlers\n  -\u003e agent state and causal guards\n  -\u003e controlled tool calls\n  -\u003e controlled model calls\n  -\u003e provider registry\n  -\u003e external adapter contract validation\n  -\u003e simulated provider boundary\n  -\u003e legacy assertion and Policy v2 verification\n  -\u003e declared failure modes\n  -\u003e trace ledger\n  -\u003e deterministic security report\n```\n\n\u003e The VM does not call LLMs, tools, MCP, A2A, networks, shells, or other external systems.  \n\u003e It validates bytecode and simulates protocol message flow only.\n\n## Why Argorix Lang?\n\nMost AI-agent systems today are built on fragile layers of prompts, wrappers, tools, provider-specific logic, and scattered runtime permissions.\n\nThat can work for prototypes.\n\nIt becomes harder to reason about when systems need:\n\n- security guarantees,\n- traceable execution,\n- auditable behavior,\n- provider boundaries,\n- controlled tool/model calls,\n- deterministic runtime state,\n- policy verification,\n- and evidence suitable for inspection.\n\nArgorix Lang explores a different path: **structured, auditable, programmable execution for AI-agent systems.**\n\n## Why Rust?\n\nArgorix Lang is implemented in Rust because infrastructure for AI safety should start from a secure systems foundation.\n\nRust provides:\n\n- memory safety,\n- strong typing,\n- predictable performance,\n- explicit control,\n- concurrency safety,\n- and a strong base for compiler, bytecode, and VM infrastructure.\n\nRust is not just an implementation choice for Argorix Lang.\n\nIt reflects the project’s design philosophy: secure infrastructure should be built on secure foundations.\n\n## Requirements\n\n- Stable Rust toolchain\n- Cargo\n\n## Build and verify\n\n```bash\ncargo fmt\ncargo test --workspace\ncargo clippy --workspace --all-targets -- -D warnings\n```\n\n## Compiler commands\n\n```bash\ncargo run -p argorixc -- check examples/prompt_defense_v02.argx\ncargo run -p argorixc -- emit-ir examples/prompt_defense_v02.argx\ncargo run -p argorixc -- graph examples/prompt_defense_v02.argx\ncargo run -p argorixc -- capabilities examples/prompt_defense_v02.argx\ncargo run -p argorixc -- emit-bytecode examples/prompt_defense_v02.argx\ncargo run -p argorixc -- verify-bytecode examples/prompt_defense_v02.argx\n```\n\nPackage commands (multi-file projects, v0.16):\n\n```bash\ncargo run -p argorixc -- check-package examples/module_project/argorix.toml\ncargo run -p argorixc -- emit-ir-package examples/module_project/argorix.toml\ncargo run -p argorixc -- emit-bytecode-package examples/module_project/argorix.toml\ncargo run -p argorixc -- graph-package examples/module_project\n```\n\nEach package command also accepts a directory and looks for `argorix.toml`.\n\nLatest provider allowlist example:\n\n```bash\ncargo run -p argorixc -- check examples/provider_allowlists_v012.argx\ncargo run -p argorixc -- emit-ir examples/provider_allowlists_v012.argx\ncargo run -p argorixc -- emit-bytecode examples/provider_allowlists_v012.argx\n```\n\n## VM commands\n\n```bash\ncargo run -p argorix-vm -- run examples/prompt_defense.argbc.json --dry-run\ncargo run -p argorix-vm -- run examples/prompt_defense.argbc.json --dry-run --json\ncargo run -p argorix-vm -- run examples/prompt_defense.argbc.json --dry-run --mailboxes\n```\n\nReactive execution example:\n\n```bash\ncargo run -p argorix-vm -- run examples/prompt_defense_v06.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:PromptScanner:tell:UserPrompt \\\n  --state\n```\n\nControlled tool-call example:\n\n```bash\ncargo run -p argorix-vm -- run examples/tool_call_v07.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --state \\\n  --tools\n```\n\nControlled model-call example:\n\n```bash\ncargo run -p argorix-vm -- run examples/model_call_v08.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --state \\\n  --tools \\\n  --models\n```\n\nProvider boundary example:\n\n```bash\ncargo run -p argorix-vm -- run examples/provider_boundary_v010.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --state \\\n  --tools \\\n  --models \\\n  --policy \\\n  --providers\n```\n\nProvider contract allowlist example:\n\n```bash\ncargo run -p argorix-vm -- run examples/provider_allowlists_v012.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --state \\\n  --tools \\\n  --models \\\n  --policy \\\n  --providers \\\n  --provider-contracts\ncargo run -p argorix-vm -- run examples/prompt_defense_v05.argbc.json --dry-run --reactive --inject User:PromptScanner:tell:UserPrompt\ncargo run -p argorix-vm -- run examples/prompt_defense_v05.argbc.json --dry-run --reactive --inject User:PromptScanner:tell:UserPrompt --json\ncargo run -p argorixc -- check examples/prompt_defense_v06.argx\ncargo run -p argorixc -- emit-ir examples/prompt_defense_v06.argx\ncargo run -p argorixc -- emit-bytecode examples/prompt_defense_v06.argx\ncargo run -p argorix-vm -- run examples/prompt_defense_v06.argbc.json --dry-run --reactive --inject User:PromptScanner:tell:UserPrompt --state\ncargo run -p argorixc -- check examples/tool_call_v07.argx\ncargo run -p argorixc -- emit-ir examples/tool_call_v07.argx\ncargo run -p argorixc -- emit-bytecode examples/tool_call_v07.argx\ncargo run -p argorix-vm -- run examples/tool_call_v07.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --state --tools\ncargo run -p argorixc -- check examples/model_call_v08.argx\ncargo run -p argorixc -- emit-ir examples/model_call_v08.argx\ncargo run -p argorixc -- emit-bytecode examples/model_call_v08.argx\ncargo run -p argorix-vm -- run examples/model_call_v08.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --state --tools --models\ncargo run -p argorixc -- check examples/policy_assertions_v09.argx\ncargo run -p argorixc -- emit-bytecode examples/policy_assertions_v09.argx\ncargo run -p argorix-vm -- run examples/policy_assertions_v09.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --policy\ncargo run -p argorixc -- check examples/provider_boundary_v010.argx\ncargo run -p argorixc -- emit-ir examples/provider_boundary_v010.argx\ncargo run -p argorixc -- emit-bytecode examples/provider_boundary_v010.argx\ncargo run -p argorix-vm -- run examples/provider_boundary_v010.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --state --tools --models --policy --providers\ncargo run -p argorixc -- check examples/provider_contracts_v011.argx\ncargo run -p argorixc -- emit-ir examples/provider_contracts_v011.argx\ncargo run -p argorixc -- emit-bytecode examples/provider_contracts_v011.argx\ncargo run -p argorix-vm -- run examples/provider_contracts_v011.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --state --tools --models --policy --providers --provider-contracts\ncargo run -p argorixc -- check examples/provider_allowlists_v012.argx\ncargo run -p argorixc -- emit-ir examples/provider_allowlists_v012.argx\ncargo run -p argorixc -- emit-bytecode examples/provider_allowlists_v012.argx\ncargo run -p argorix-vm -- run examples/provider_allowlists_v012.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --state --tools --models --policy --providers --provider-contracts\ncargo run -p argorixc -- emit-bytecode examples/provider_allowlists_v013.argx\ncargo run -p argorix-vm -- run examples/provider_allowlists_v013.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --security-report reports/provider-allowlists.security.json\ncargo run -p argorix-vm -- run examples/provider_allowlists_v013.argbc.json --dry-run --reactive --inject User:ResearchAgent:tell:UserPrompt --json --security-report reports/provider-allowlists.security.json\n```\n\n## Security report export v0.13\n\nReactive execution now uses `run_reactive_outcome()`, which always preserves the final `RuntimeState` and ordered trace ledger. `run_reactive()` remains a compatibility wrapper.\n\nUse `run --security-report \u003cpath\u003e` to write a pretty JSON evidence artifact. The CLI creates the required parent directory and writes the report before propagating a VM error. Failed executions therefore still exit nonzero, keep stderr diagnostics, and remain reportable. In `--json` mode stdout remains exactly the existing trace JSON; failed executions without a trace print no partial JSON.\n\nThe public `SecurityReport` includes execution, policy, provider-boundary, call, intrinsic, ledger, and verdict summaries. Counts come from actual runtime evidence. For the three-agent v0.13 fixture, the intrinsic summary is `facu_checkpoints: 3`, `marron_guards: 3`, and `intrinsic_events_total: 6`.\n\n`ledger_digest` is `sha256:` plus SHA-256 of compact JSON for the ordered ledger events. It supports deterministic integrity checks and reproducible audits. It is not a signature, uses no key, and does not prove real-world safety.\n\nVerdicts follow evidence: blocked external execution or runtime/provider-boundary failure is `high`; assertion or completed-runtime denial evidence is `medium`; completion without assertions is `informational`; completion with passing policy is `pass`.\n\n## Argorix Lang v0.14 Evidence Bundle + Offline Verification\n\nAn `EvidenceBundle` is a portable manifest connecting the semantic content of\nArgorix Bytecode, a `ReactiveExecutionTrace`, a `SecurityReport`, and its\nledger digest. It is generated locally and can be checked without network\naccess:\n\n```bash\ncargo run -p argorix-vm -- run examples/provider_allowlists_v014.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --state \\\n  --tools \\\n  --models \\\n  --policy \\\n  --providers \\\n  --provider-contracts \\\n  --security-report reports/provider_allowlists_v014.security.json \\\n  --trace-out reports/provider_allowlists_v014.trace.json \\\n  --evidence-bundle reports/provider_allowlists_v014.bundle.json\n\ncargo run -p argorix-vm -- verify-evidence reports/provider_allowlists_v014.bundle.json\ncargo run -p argorix-vm -- verify-evidence reports/provider_allowlists_v014.bundle.json --json\n```\n\nArtifact paths are stored relative to the bundle directory with `/`\nseparators. Verification resolves them from that directory, so a complete\nportable tree can be moved and checked offline.\n\nDigests use `sha256:\u003chex\u003e` over compact serialization of deserialized Rust\ntypes. Formatting and whitespace changes do not alter semantic evidence;\ncontent changes do. These digests are not signatures, use no keys, provide no\nauthenticity claim, and do not prove real-world safety.\n\nFailed executions remain reportable. When execution fails before producing a\nreactive trace, the report and bundle are still written when possible,\n`trace_path` and `trace_digest` are `null`, and the process still exits\nnonzero.\n\nThe governing rules remain:\n\n```text\nAllowlisted does not mean executable.\nFailed executions must still be reportable.\nSecurity reports are evidence artifacts, not success receipts.\nEvidence must be exportable and independently checkable.\n```\n\n## Argorix Lang v0.15 Conformance Suite\n\nThe official Conformance Suite validates the Argorix stack directly through\nlibrary APIs:\n\n```text\nsource -\u003e parser -\u003e semantics -\u003e IR -\u003e Bytecode -\u003e verifier -\u003e VM\n       -\u003e SecurityReport -\u003e EvidenceBundle -\u003e offline verification\n```\n\nRun it in text or JSON mode:\n\n```bash\ncargo run -p argorix-conformance -- run conformance/suite.v015.json\ncargo run -p argorix-conformance -- run conformance/suite.v015.json --json\ncargo run -p argorix-conformance -- run conformance/suite.v015.json \\\n  --workdir target/custom-conformance\n```\n\nThe suite is local, deterministic, data-driven, and offline. It does not use\nnetwork access, secrets, environment variables, real tools, real models,\nOpenAI, Anthropic, MCP, A2A, or executable external providers. Passing the\nsuite demonstrates conformance with the declared Argorix behavior; it does not\nprove real-world security.\n\nEach case declares:\n\n```json\n{\n  \"id\": \"unknown-capability-rejected\",\n  \"name\": \"Unknown capability is rejected\",\n  \"category\": \"semantics\",\n  \"source_path\": \"sources/unknown_capability.argx\",\n  \"stages\": [\"parse\", \"semantic_check\"],\n  \"expected_failure_stage\": \"semantic_check\",\n  \"expected_failure_contains\": \"Unknown capability\"\n}\n```\n\n`stages` defines what executes. `expected_failure_stage` explicitly defines\nwhere a negative case must fail. The expected stage remains `failed`, later\nstages become `skipped`, and the case passes when the diagnostic matches.\n\nVM-dependent cases declare an explicit injection:\n\n```json\n\"injection\": \"User:ResearchAgent:tell:UserPrompt\"\n```\n\nEvidence-tampering cases use a declarative mutation applied only to the case\ncopy under the workdir:\n\n```json\n\"mutation\": {\n  \"before_stage\": \"verify_evidence\",\n  \"artifact\": \"security_report\",\n  \"json_pointer\": \"/module\",\n  \"value\": \"Tampered\"\n}\n```\n\nFixture paths resolve from the directory containing `suite.v015.json`, not\nfrom the shell working directory. Generated artifacts are isolated under\n`\u003cworkdir\u003e/\u003ccase-id\u003e/`. To add a case, add a portable fixture under\n`conformance/sources` or `conformance/bytecode`, then add a JSON case with a\ncategory, ordered stages, and any explicit injection, expected failure, or\nmutation.\n\nThe v0.15 principles are:\n\n```text\nA secure language must be independently testable.\nConformance must make expected failure explicit.\nConformance must not depend on fixture-specific inference.\nConformance cases must be data-driven, not runner-driven.\nConformance paths resolve from the suite, not from the shell.\n```\n\nSecurity reports are evidence artifacts, not success receipts. `Allowlisted does not mean executable`: `simulated` remains the only executable provider, and external allowlists remain future permissions only.\n\n## Argorix Lang v0.22 Adapter Framework + Adapter Conformance Suite\n\n**Principle:** Adapter conformance comes before adapter execution.\n\nv0.22 adds top-level `adapter` declarations. An adapter is declarative governance metadata that binds a provider contract, feature flag, secret boundary and harness. It records `kind`, `vendor`, `mode`, `execution disabled`, boundary restrictions (`network denied`, `secrets denied`, `filesystem none|read_only`), typed contracts and a `conformance` list.\n\nAdapters are **never executed** in v0.22. `simulated` remains the only executable provider. External providers remain non-executable. No network, env, secrets, or external SDKs are used.\n\nNew Policy v2 rules:\n`adapters_declared`, `adapters_execution_disabled`, `adapters_network_denied`, `adapters_secrets_denied`, `adapters_provider_harnessed`, `adapters_feature_gated`, `adapters_secret_boundaried`, `adapters_conformance_declared`, `adapters_evidence_required`.\n\nSecurityReport and EvidenceBundle include adapter summaries. Conformance Suite v0.22 validates the adapter framework.\n\nSee `examples/adapter_framework_v022.argx` and `examples/adapter_framework_project/`.\n\nAll prior v0.16–v0.21 features are preserved. Bytecode/EvidenceBundle 0.21 remain verifiable.\n\n## Argorix Lang v0.21 Feature Flags + Secret Boundary\n\nThe v0.21 principle is:\n\n\u003e Secrets must be declared before they can be accessed.\n\nExtended:\n\n\u003e No secret crosses a boundary without evidence.\n\nv0.21 adds two top-level declarations — `feature` and `secret` — that prepare\nArgorix for future real adapters **without executing any provider**. They declare\nand audit a frontier; they do not cross it. External providers remain\nnon-executable, `simulated` remains the only executable provider, and the VM\nstill makes no network calls, reads no environment variables, reads no API keys,\nand opens no vaults.\n\n### Feature flags\n\nA `feature` declares an experimental or future capability, typically tied to an\nexternal provider adapter:\n\n```argx\nfeature OpenAIAdapter {\n  provider OpenAI            // optional: links the feature to a declared provider\n  status experimental        // experimental | preview | stable | deprecated\n  default disabled           // disabled | enabled\n  requires approval          // required when status is experimental or preview\n  purpose \"future-openai-adapter\"\n}\n```\n\nRequired fields: `status`, `default`. Optional: `provider`, `requires approval`,\n`purpose`. Rules:\n\n- A feature linked to an **external** provider must declare `default disabled`.\n- A feature whose `status` is `experimental` or `preview` must declare\n  `requires approval`.\n- Unknown values fail in semantics; missing required fields fail as\n  `missing required field` (no silent defaults).\n\nA feature flag never enables real execution in v0.21. It is governance metadata.\n\n### Secret boundaries\n\nA `secret` declares the **boundary** of a future secret. It records the handle,\nscope, and denied access — never the secret value:\n\n```argx\nsecret OpenAISecret {\n  handle \"ARGORIX_PROVIDER_TOKEN\"     // expected future handle — metadata, not a value\n  provider OpenAI             // optional link to a declared provider\n  required_by OpenAIAdapter   // optional link to a declared feature\n  scope adapter               // provider | adapter | model | tool | runtime\n  access denied               // only `denied` is allowed in v0.21\n  source none                 // only `none` is allowed in v0.21\n}\n```\n\nRequired fields: `handle`, `scope`, `access`, `source`. Optional: `provider`,\n`required_by`.\n\n**Secret handle vs secret value.** The `handle` is the *name* of a secret that\n*would* be needed in the future (e.g. `ARGORIX_PROVIDER_TOKEN`). It is metadata. Argorix\nstores no secret material: the fields `value`, `secret_value`, `token`,\n`api_key_value`, `raw`, and `plaintext` are forbidden inside a `secret` and cause\na compile error. `access` may only be `denied` and `source` may only be `none` in\nv0.21 — `allowed`, `guarded`, `approved`, `env`, `vault`, `file`, and `remote`\nare intentionally not yet accepted.\n\n### Harness links\n\nA `harness` may optionally reference a declared feature and secret:\n\n```argx\nharness OpenAIHarness {\n  provider OpenAI\n  feature OpenAIAdapter\n  secret OpenAISecret\n  mode dry_run\n  network denied\n  secrets denied\n  filesystem none\n}\n```\n\nThe semantic checker enforces coherence: referenced feature/secret must be\ndeclared, and when providers are present on the harness, feature, and secret they\nmust agree; when a harness names both a feature and a secret whose `required_by`\nis set, they must match.\n\n### Policy v2 integration\n\nv0.21 adds eight Policy v2 rules, evaluated offline against declared metadata:\n\n- `feature_flags_declared` — at least one feature is declared.\n- `features_default_disabled` — every feature defaults to disabled.\n- `experimental_features_require_approval` — every experimental/preview feature\n  requires approval.\n- `secret_boundaries_declared` — at least one secret boundary is declared.\n- `secret_access_denied` — every secret denies access.\n- `secret_values_absent` — no secret declaration contains secret material\n  (always true by construction; the schema has no value field).\n- `external_provider_feature_gated` — every external provider is referenced by a\n  disabled, approval-gated feature.\n- `external_provider_secret_boundary_declared` — every external provider is\n  referenced by a `denied`/`none` secret boundary.\n\nAll earlier rules (provider harness, agent passport, provider boundary) are\npreserved.\n\n### SecurityReport and EvidenceBundle integration\n\nThe SecurityReport (now `0.21`) gains a `feature_flags` summary (totals, statuses,\ndefaults, approval count, linked providers) and a `secret_boundaries` summary\n(totals, scopes, access, sources, linked providers, `required_by`, and\n`values_present` which is always `false`). The handle is reported as metadata; no\nsecret value, environment-variable content, or real material ever appears. Having\na feature flag or secret boundary does **not** inflate the verdict — it only\nproves the frontier was declared, validated, and preserved as evidence.\n\nThe EvidenceBundle (now `0.21`) covers features and secrets through digests of the\nbytecode, trace, and security report. Offline verification still accepts bundles\nback to `0.14`, so older bundles continue to verify.\n\n### Hard boundary\n\nFeature flags do not enable real provider execution in v0.21. Secret boundaries\ndo not contain secret values. Argorix does not read environment variables, does\nnot read API keys, does not read vaults, and does not open network connections.\nExternal providers remain non-executable; `simulated` remains the only executable\nprovider. First the boundary is declared. Then, some day, it is crossed with\nevidence.\n\n## Argorix Lang v0.20 Sandboxed Provider Harness\n\nThe v0.20 principle is:\n\n\u003e Before execution comes containment.\n\nA provider contract declares what an external integration would be allowed to\ntarget. A provider harness separately declares how that provider must be\ncontained during offline preparation and audit:\n\n```argx\nharness OpenAIHarness {\n  provider OpenAI\n  mode dry_run\n  network denied\n  secrets denied\n  filesystem none\n  max_steps 10\n  timeout_ms 1000\n  input_contract UserPrompt\n  output_contract DraftAnswer\n  attestations [\"dry-run\", \"policy-check\", \"evidence-bundle\"]\n}\n```\n\nRequired fields are `provider`, `mode`, `network`, `secrets`, and `filesystem`.\nNo required field receives a silent default. Supported values are:\n\n- `mode dry_run` or `mode simulated`;\n- `network denied`;\n- `secrets denied`;\n- `filesystem none` or `filesystem read_only`.\n\n`max_steps` and `timeout_ms` are optional positive integers.\n`input_contract` and `output_contract` optionally reference declared message\ntypes. `attestations` may be absent or empty, but every supplied string must be\nnon-empty.\n\n### Provider contract, harness, and executable provider\n\n- A **provider contract** describes a disabled external boundary, future\n  allowlists, feature-flag requirement, and explicit approval requirement.\n- A **provider harness** is containment/governance metadata associated with a\n  declared provider contract.\n- The **simulated provider** is the only executable provider implementation.\n- An **external provider** remains non-executable even when a valid harness is\n  present.\n\nHarnesses are top-level IR and Bytecode 0.20 metadata. They do not emit\n`DeclareHarness`, `SandboxProvider`, or any other VM instruction.\n\n### Policy v2 integration\n\nThe following offline rules inspect verified Bytecode metadata:\n\n```txt\nprovider_harness_declared\nprovider_harness_sandboxed\nprovider_network_denied\nprovider_secrets_denied\nprovider_filesystem_restricted\nexternal_provider_harnessed\n```\n\nDimension-specific rules use universal evaluation. To require at least one\nharness, also require `provider_harness_declared`.\n\n### Trace, SecurityReport, and EvidenceBundle\n\nReactive traces preserve `provider_harnesses` and ledger events record\ndeclaration, validation, and structural sandbox acceptance. SecurityReport\n0.20 summarizes providers, modes, network/secrets/filesystem declarations,\ncontract references, and attestation totals. This is structural containment\nevidence; it is not proof of real-world sandbox security.\n\nEvidenceBundle 0.20 covers harness metadata through the existing canonical\ndigests of Bytecode, trace, SecurityReport, and trace ledger. Offline\nverification remains compatible with bundle version 0.19.\n\n### Hard boundary\n\nThe harness does not execute external providers. It does not call APIs, open\nnetwork connections, resolve DNS, read secrets, load API keys from environment\nvariables, create processes, or access files on behalf of a provider. Version\n0.20 adds no real OpenAI, Anthropic, MCP, A2A, or NANDA adapter.\n\nSee `examples/provider_harness_v020.argx` and\n`examples/provider_harness_project/`.\n\n## Argorix Lang v0.19 Agent Passport / Sovereign Agent Identity\n\nThe v0.19 principle is:\n\n```text\nAgents must carry sovereign identity before they can participate in an open agentic web.\n```\n\nAn **Agent Passport** is a top-level `passport` block that declares the sovereign\nidentity of an agent: who it is, where it is registered, what it is allowed to do,\nand what evidence backs it. It is the agent's portable, auditable identity card.\n\n```argx\npassport RiskAnalyzerPassport {\n  agent ResearchAgent\n  agent_name \"Risk Analyzer\"\n\n  // Global identity\n  global_id \"argx:agent:01HZX9RISKANALYZER\"\n  identity  \"did:argorix:risk-analyzer-v1\"\n  provider  \"Argorix\"\n  version   \"1.0.0\"\n\n  // Optional discovery name — no network resolution in v0.19\n  ans_name \"argx://riskAnalyzer.RiskAnalysis.Argorix.v1.sovereign\"\n\n  // Jurisdiction and sovereignty\n  country        \"CL\"\n  jurisdiction   \"CL\"\n  data_residency [\"CL\", \"EU\"]\n\n  // Network / infrastructure registration metadata\n  asn {\n    registry \"LACNIC\"\n    number   \"AS-PLACEHOLDER\"\n    holder   \"Argorix Labs\"\n    country  \"CL\"\n  }\n\n  // Model and risk metadata\n  model      \"frontier-compatible\"\n  risk_level \"high\"\n  data_scope [\"internal\", \"confidential\"]\n\n  // Intent / purpose\n  intent         \"risk_analysis\"\n  intended_use   [\"policy-review\", \"risk-assessment\"]\n  prohibited_use [\"external-execution\", \"credential-access\"]\n\n  // Verification and evidence\n  attestations [\"redteam\", \"policy-check\", \"evidence-bundle\"]\n}\n```\n\n### Field meaning\n\n- **`global_id`** — a stable, globally unique identifier for the agent (an opaque\n  string, e.g. `argx:agent:...`). It is not resolved against any registry.\n- **`identity`** — a DID-like identity string (e.g. `did:argorix:...`). v0.19 stores\n  it verbatim; it performs **no DID resolution**.\n- **`agent_name`** — a human-readable display name.\n- **`country` / `jurisdiction`** — the agent's legal sovereignty. `country` must use\n  a 2-letter ISO-like code; `jurisdiction` must be non-empty.\n- **`data_residency`** — the regions where the agent's data may reside (required,\n  non-empty).\n- **`asn`** — optional network registration metadata: `registry` (one of `LACNIC`,\n  `ARIN`, `RIPE`, `APNIC`, `AFRINIC`, `UNKNOWN`), `number` (an `AS`-prefixed value\n  or explicit placeholder), `holder`, and `country`. **No ASN lookup is performed.**\n- **`intent` / `intended_use` / `prohibited_use`** — the declared purpose, allowed\n  uses, and prohibited uses of the agent.\n- **`attestations`** — references to evidence/verifications associated with the agent.\n\n### `intent` vs `attestations`\n\nThese are different concepts and must not be conflated:\n\n```text\nintent         = the agent's declared purpose\nintended_use   = permitted or expected uses\nprohibited_use = forbidden uses\nattestations   = evidence/verifications (internal or external) attached to the agent\n```\n\n`attestations` are **evidence, not intention**. Writing\n`attestations [\"risk_analysis\"]` is syntactically allowed but semantically wrong —\n`risk_analysis` is an `intent`, not an attestation.\n\n### Passport vs provider contract vs policy vs evidence bundle\n\n- **Passport** — *who the agent is*: sovereign identity, jurisdiction, residency,\n  intent, attestations.\n- **Provider contract** — *what external providers may be reached* (still\n  non-executable; `simulated` remains the only executable provider).\n- **Policy** — *what runtime evidence must hold* (Policy v2 rules evaluated against\n  the trace).\n- **Evidence bundle** — *the signed digest chain* over Bytecode, Trace, and\n  SecurityReport that makes a run offline-verifiable.\n\n### Required vs optional fields\n\n```text\nrequired: agent, agent_name, global_id, identity, provider, version,\n          country, jurisdiction, data_residency, intent, risk_level\noptional: ans_name, asn, model, data_scope, intended_use, prohibited_use, attestations\n```\n\n### Policy v2 integration\n\nv0.19 adds four optional Policy v2 rules, evaluated offline against declared\npassport metadata:\n\n```text\nagent_passport_declared        — every agent has a declared passport\nagent_identity_declared        — every passport has a non-empty identity\nagent_data_residency_declared  — every passport has non-empty data residency\nagent_passport_attested        — every passport has at least one attestation\n```\n\n```argx\npolicy SovereignAgentPolicy {\n  require agent_passport_declared\n  require agent_identity_declared\n  require agent_data_residency_declared\n  require agent_passport_attested\n\n  on violation {\n    action review\n    trace required\n  }\n}\n```\n\n### SecurityReport and EvidenceBundle integration\n\nThe SecurityReport gains an `agent_passports` summary (totals, linked agents,\ncountries, jurisdictions, data residency, risk levels, attestation count, and\nintents). The EvidenceBundle covers passports through the existing digest chain\n(Bytecode, Trace, SecurityReport) — no new artifact is added.\n\n\u003e **Holding a passport does not prove real-world safety.** It improves\n\u003e traceability, declared identity, and structural evidence only. The security\n\u003e verdict is **not** inflated by the presence of a passport.\n\n### Limits (v0.19 does not)\n\n```text\n- no network calls, DNS resolution, or remote registry\n- no real DID verification\n- no real ASN verification\n- no country verification beyond a basic ISO-like format check\n- no certificates or secrets\n- external providers remain non-executable; simulated remains the only executable provider\n```\n\n```bash\ncargo run -p argorixc -- check examples/agent_passport_v019.argx\ncargo run -p argorixc -- emit-ir examples/agent_passport_v019.argx\ncargo run -p argorixc -- emit-bytecode examples/agent_passport_v019.argx\ncargo run -p argorixc -- check-package examples/agent_passport_project/argorix.toml\ncargo run -p argorix-conformance -- run conformance/suite.v019.json\n```\n\n## Argorix Lang v0.18 Typed Message Contracts\n\nThe v0.18 principle is:\n\n```text\nAgent communication must be typed before it can be trusted.\n```\n\n```argx\ntype ReviewResult {\n    approved: bool\n    score: int\n    explanation: string\n    confidence: float\n}\n```\n\n`type Message`, `type Message {}`, and typed contracts are valid. Fields are\nordered metadata preserved in IR, Bytecode, VM trace, SecurityReport, and the\nEvidenceBundle digest chain. Imported contracts participate in whole-package\nchecking.\n\nDeclared enum/type field references remain compatible as legacy nominal\ncontracts. Unknown references and duplicate fields fail semantic checking.\nSecurityReport records total, typed, untyped, and field counts without treating\nstructural typing as proof of real-world safety.\n\nv0.18 does not execute payload values and adds no arrays, maps, generics,\noptional fields, unions, nested literals, validation expressions, network\naccess, secrets, or real providers. `simulated` remains the only executable\nprovider.\n\n```bash\ncargo run -p argorixc -- check examples/typed_messages_v018.argx\ncargo run -p argorixc -- emit-bytecode examples/typed_messages_v018.argx\ncargo run -p argorixc -- check-package examples/typed_message_project/argorix.toml\ncargo run -p argorix-conformance -- run conformance/suite.v018.json\n```\n\n## Argorix Lang v0.17 Policy Language v2\n\nThe v0.17 principle is:\n\n```text\nSecurity policy must be declared as code, compiled as intent, and enforced as evidence.\n```\n\nLegacy assertions remain intact:\n\n```argx\nassert no_unhandled_messages\nassert all_tool_calls_traced\nassert runtime_status completed\n```\n\nNamed policies add explicit `require` and `deny` effects:\n\n```argx\npolicy ProviderSafety {\n    require provider_contracts_declared\n    require provider_allowlists_valid\n    deny external_execution\n\n    on violation {\n        action block\n        trace required\n    }\n}\n```\n\n`require X` passes only when the runtime evidence predicate for `X` is true.\n`deny X` passes only when that predicate is false. `runtime_status completed`\nis one rule.\n\nSupported rules are:\n\n```text\nno_unhandled_messages\nall_tool_calls_traced\nall_model_calls_traced\nall_intrinsics_traced\nall_provider_calls_traced\nhalt_requires_trace\nruntime_status completed\nprovider_contracts_declared\nprovider_allowlists_valid\nexternal_execution\nevidence_bundle_verified\nsecurity_report_generated\n```\n\nUnknown rules and actions are preserved by the parser for precise semantic\ndiagnostics. The semantic checker rejects duplicate policy names, duplicate\nrules, contradictory `require`/`deny` effects, invalid actions, and duplicates\nacross imported modules.\n\nViolation behavior:\n\n- `action block`: records evidence, preserves the ledger, writes requested\n  reports/bundles, and returns a nonzero VM/CLI result.\n- `action review`: runtime may complete; the report verdict is\n  `medium`/review required.\n- `action warn`: runtime may complete; the report verdict is `warning`.\n- no `on violation`: the policy is `violated` without activating a runtime\n  action.\n\nThe trace separates `legacy_assertions` from `policy_blocks`. Policy events are\nrecorded as `PolicyDeclared`, `PolicyEvaluated`, `PolicyViolation`, and\n`PolicyActionActivated`. SecurityReport 0.17 summarizes rules, violations and\nactions. EvidenceBundle 0.17 covers the resulting trace, report and ledger\nthrough the existing digest chain.\n\nPolicies can live in imported modules:\n\n```argx\nmodule main\nimport policies.default\n```\n\nOnly reachable imported policies enter the merged package. Duplicate names\nacross modules fail whole-package checking.\n\nTry the single-file and package examples:\n\n```bash\ncargo run -p argorixc -- check examples/policy_v017.argx\ncargo run -p argorixc -- emit-ir examples/policy_v017.argx\ncargo run -p argorixc -- emit-bytecode examples/policy_v017.argx\ncargo run -p argorixc -- check-package examples/policy_project/argorix.toml\n```\n\nRun and export evidence:\n\n```bash\ncargo run -p argorix-vm -- run examples/policy_v017.argbc.json \\\n  --dry-run \\\n  --reactive \\\n  --inject User:ResearchAgent:tell:UserPrompt \\\n  --policy \\\n  --security-report reports/policy_v017.security.json \\\n  --trace-out reports/policy_v017.trace.json \\\n  --evidence-bundle reports/policy_v017.bundle.json\n\ncargo run -p argorix-vm -- verify-evidence reports/policy_v017.bundle.json\ncargo run -p argorix-conformance -- run conformance/suite.v017.json\n```\n\nPolicy v2 does not execute external providers, open network connections, call\nOpenAI or Anthropic, connect MCP/A2A, read secrets, or replace evidence with a\ndeclaration. `simulated` remains the only executable provider.\n\n## Argorix Lang v0.16 Module / Package System\n\nVersion 0.16 lets a protocol grow from a single file into a structured,\nmulti-file project without making any dependency implicit.\n\n```text\nSecure agent protocols must be modular without becoming implicit.\n```\n\n### What is a module?\n\nA module is a single `.argx` file that declares exactly one `module` name. The\nname is a dotted identifier (`agents.research`) that must match the file's path\nrelative to `src/`:\n\n```text\nsrc/agents/research.argx   -\u003e   module agents.research\nsrc/policies/default.argx  -\u003e   module policies.default\nsrc/main.argx              -\u003e   module main      (or module app.main)\n```\n\nModule names match `[a-zA-Z_][a-zA-Z0-9_]*(.[a-zA-Z_][a-zA-Z0-9_]*)*`.\n\n### What is a local package?\n\nA package is a directory with an `argorix.toml` manifest and a `src/` tree:\n\n```toml\n[package]\nname = \"argorix-example\"\nversion = \"0.16.0\"\n\n[entry]\nmain = \"src/main.argx\"\n```\n\n`argorix.toml` is optional for compiling a single file, and required for\nmulti-file compilation by package root. `entry.main` names the entry file, and\nevery path is relative to the manifest directory. There are no absolute paths\nand no external dependencies.\n\n### Imports\n\nImports are declared at the top level, right after the `module` declaration:\n\n```argx\nmodule app.main\n\nimport agents.research\nimport agents.reviewer\nimport policies.default\nimport providers.contracts\nimport tools.search\n\nprotocol ProviderDefense {\n    User -\u003e ResearchAgent: tell UserPrompt\n    ResearchAgent -\u003e PolicyJudge: propose ToolResult\n    PolicyJudge -\u003e RuntimeGate: commit Decision\n}\n```\n\nEach `import agents.research` resolves deterministically to\n`src/agents/research.argx`. After resolution, the top-level declarations of\nevery reachable module (types, enums, agents, tools, models, providers,\npolicies, protocols) become globally visible. A protocol in one module may\nreference agents defined in imported modules, and an imported provider contract\nor policy applies to the whole package.\n\n### How imports resolve\n\nResolution starts from the entry module and walks imports into a deterministic\ngraph. The resolver rejects:\n\n- unknown imports (no matching file under `src/`),\n- cyclic imports,\n- duplicate modules,\n- a module whose declared name does not match its path,\n- files outside the project root,\n- duplicate global symbols across modules (no silent shadowing).\n\nDiagnostics never contain absolute paths and never depend on the current\nworking directory.\n\n### Compiling a single file\n\n```bash\ncargo run -p argorixc -- check examples/provider_allowlists_v016.argx\ncargo run -p argorixc -- emit-bytecode examples/provider_allowlists_v016.argx\n```\n\n### Compiling a package\n\n```bash\ncargo run -p argorixc -- check-package examples/module_project/argorix.toml\ncargo run -p argorixc -- emit-ir-package examples/module_project/argorix.toml\ncargo run -p argorixc -- emit-bytecode-package examples/module_project/argorix.toml\ncargo run -p argorixc -- graph-package examples/module_project\n```\n\n`emit-ir-package` and `emit-bytecode-package` attach module metadata:\n\n```json\n{\n  \"ir_version\": \"0.16\",\n  \"module\": \"app.main\",\n  \"modules\": [{ \"name\": \"agents.research\", \"path\": \"src/agents/research.argx\" }],\n  \"imports\": [{ \"from\": \"app.main\", \"to\": \"agents.research\" }]\n}\n```\n\nThe VM, security report, and evidence bundle preserve this module metadata when\nit is present, so multi-file evidence remains independently verifiable.\n\n### Viewing the module graph\n\n```text\napp.main\n├── agents.research\n├── agents.reviewer\n├── policies.default\n├── providers.contracts\n└── tools.search\n```\n\n### Why no remote package registry yet?\n\nv0.16 is deliberately offline. A remote registry, package downloads, external\ndependencies, and secrets are explicitly out of scope: a secure agent protocol\nmust remain independently auditable, and remote resolution would make\ndependencies implicit and unverifiable. The module system is the local,\ndeterministic foundation those features would later build on.\n\n### Security rules and limitations\n\n- No relative imports (`import ./agents/research`).\n- No import aliases (`import agents.research as research`).\n- No remote registry, package downloads, or external dependencies.\n- No absolute paths in manifests.\n- `simulated` remains the only executable provider; external providers stay\n  disabled and non-executable in multi-file projects exactly as in single-file\n  ones.\n\n```text\nSecure agent protocols must be modular without becoming implicit.\n```\n\n## Provider contract allowlists v0.12\n\nExternal provider contracts may declare future target and capability permissions:\n\n```argx\nprovider OpenAI {\n    kind external\n    enabled false\n    dry_run_only true\n    requires feature_flag\n    requires approval\n\n    allowed_targets { GuardModel }\n    allowed_capabilities { model.invoke }\n}\n```\n\nThe two optional blocks may appear in either order after the requirement clauses, at most once each.\n\nDuplicate blocks fail during parsing.\n\nDuplicate elements fail during semantic validation at the repeated element.\n\nTargets must resolve to a global tool or model. A name shared by a tool and model is an ambiguous allowlist target.\n\nCapabilities must exist globally. Every allowlisted target must match at least one listed capability when the capability list is populated.\n\nEmpty lists mean **zero future permissions**. They are never wildcards.\n\nContracts without blocks remain compatible with v0.11 source and lower to empty arrays.\n\n\u003e Allowlisted does not mean executable.\n\nTools and models still use only `simulated`. Attempts to execute an external contract remain fail-closed and emit:\n\n```text\nExternalProviderExecutionBlocked\n```\n\nUse `--provider-contracts` to print indented allowlists.\n\nEmpty lists are shown as `none`.\n\nJSON preserves list order in `provider_contracts`.\n\n## External adapter contracts v0.11\n\nModule-level provider declarations describe future external adapters without making them executable:\n\n```argx\nprovider OpenAI {\n    kind external\n    enabled false\n    dry_run_only true\n    requires feature_flag\n    requires approval\n}\n```\n\n`ProviderRegistry` keeps two separate maps:\n\n- executable providers,\n- declarative adapter contracts.\n\n`simulated` is registered by default as the only executable provider and must not be declared as a provider contract.\n\nExternal contracts never implement `Provider`.\n\nEvery external contract must be:\n\n- disabled,\n- dry-run-only,\n- feature-flag gated,\n- explicitly approved.\n\nTools and models still accept only `simulated`.\n\nAttempted external execution is blocked fail-closed and leaves the trace ledger available for inspection.\n\nIn IR and Bytecode v0.11, the top-level `providers` collection represents declarative provider contracts, not executable provider instances.\n\nExecutable providers are runtime registry entries and appear separately in VM output.\n\nBytecode loads contracts before scheduling and emits:\n\n- `ProviderContractDeclared`\n- `ProviderContractValidated`\n- `ProviderContractRejected`\n\nA blocked call emits:\n\n- `ExternalProviderExecutionBlocked`\n\nUse `--provider-contracts` for the separated textual report.\n\nReactive JSON always includes `provider_contracts`; `providers` contains only executable providers.\n\n## Provider boundary v0.10\n\nThe standalone `argorix_provider` crate defines:\n\n- synchronous provider contracts,\n- typed tool/model requests and responses,\n- provider errors,\n- provider registry.\n\n`ProviderRegistry::default()` registers only `simulated`.\n\nTools may omit their provider in source:\n\n```argx\ntool WebSearch {\n    capability web.search\n    input UserPrompt\n    output ToolResult\n}\n```\n\nThe AST preserves this omission as `None`.\n\nSemantic validation permits only `simulated`.\n\nIR resolves the omitted value to `simulated`.\n\nIR and Bytecode 0.10 therefore always carry an explicit provider for both tools and models.\n\nReactive calls follow:\n\n```text\nVM -\u003e ProviderRegistry -\u003e SimulatedProvider -\u003e response -\u003e trace ledger\n```\n\n`SimulatedProvider` accepts only `dry_run: true`, performs no network or external execution, and returns typed simulated responses.\n\nUnknown providers, provider errors, or invalid responses fail closed, preserve the runtime ledger, and activate an applicable failure mode.\n\nUse `--providers` to print registered providers and ordered calls.\n\nReactive JSON includes `providers` and `provider_calls`.\n\nAudit events include:\n\n- `ProviderRegistered`\n- `ProviderSelected`\n- `ProviderRequestCreated`\n- `ProviderResponseReceived`\n- `ProviderDryRunEnforced`\n- `ProviderBoundaryDenied`\n\n## Global policies and failure modes v0.9\n\nPolicies are module-level assertions verified after deterministic reactive execution:\n\n```argx\nassert no_unhandled_messages\nassert all_tool_calls_traced\nassert all_model_calls_traced\nassert all_intrinsics_traced\nassert halt_requires_trace\nassert runtime_status completed\n\nfailure PolicyViolation { action block trace required }\nfailure ToolDenied { action review trace required }\nfailure ModelDenied { action review trace required }\n```\n\nThe compiler rejects:\n\n- unknown assertions,\n- unsupported runtime status targets,\n- invalid failure actions,\n- duplicate failures,\n- failure declarations without `trace required`.\n\nFailure actions are limited to:\n\n- `block`\n- `review`\n- `halt`\n\nIR and Bytecode 0.9 preserve these declarations and emit:\n\n- `DeclareAssertion`\n- `DeclareFailure`\n- `VerifyAssertion`\n- `PolicyReport`\n\nThe VM evaluates every assertion against runtime state and the trace ledger, emits verification events, activates the declared failure mode on violation, and returns a structured `policy_report`.\n\nUse `--policy` for the text report or `--json` for the complete machine-readable report.\n\n## Simulated model adapter v0.8\n\nModels are module-level contracts with provider, capability, input, and output:\n\n```argx\nmodel GuardModel {\n    provider simulated\n    capability model.invoke\n    input ToolResult\n    output Decision\n}\n```\n\nAgents authorize models in `models` and invoke them with:\n\n```argx\nask ModelName with binding\n```\n\nOnly provider `simulated` is accepted.\n\nThe compiler checks:\n\n- model uniqueness,\n- provider,\n- capability,\n- type contracts,\n- agent authorization,\n- approval,\n- binding,\n- handler input compatibility.\n\nIR and Bytecode 0.8 add model registries plus:\n\n- `DeclareModel`\n- `AuthorizeModel`\n- `AskModel`\n\nThe VM creates a `ModelCallEnvelope`, checks authorization and capability again, and records requested, allowed/denied, and dry-run-result events.\n\nNo API, network, or real model is called.\n\n## Controlled tools v0.7\n\nTools are module-level contracts:\n\n```argx\ntool WebSearch {\n    capability web.search\n    input UserPrompt\n    output ToolResult\n}\n```\n\nAgents explicitly authorize tools and call them only from handlers:\n\n```argx\ntools { WebSearch }\n\non UserPrompt as prompt {\n    call WebSearch with prompt\n}\n```\n\nThe compiler verifies:\n\n- tool uniqueness,\n- capability contracts,\n- type contracts,\n- agent authorization,\n- required capability,\n- approval,\n- handler binding,\n- input message compatibility.\n\nIR 0.7 includes tools and call instructions.\n\nBytecode 0.7 lowers these contracts to:\n\n- `DeclareTool`\n- `AuthorizeTool`\n- `CallTool`\n\nThe VM never executes a real tool in v0.7.\n\nIt creates a `ToolCallEnvelope`, checks authorization and capability again, and records:\n\n- `ToolCallRequested`\n- `ToolCallAllowed`\n- `ToolCallDenied`\n- `ToolCallDryRunResult`\n\nThe `--tools` flag prints the resulting controlled call ledger.\n\n## Runtime intrinsics v0.6\n\nHandlers may invoke two built-in runtime operations:\n\n```argx\non Decision as decision {\n    marron(decision)\n    facu(decision)\n    trace decision\n    halt\n}\n```\n\n`facu(binding)` requires `state.write`.\n\nIt updates the agent's handled-message metadata and creates a deterministic checkpoint containing:\n\n- message ID,\n- message type,\n- binding,\n- checkpoint index.\n\n`marron(binding)` requires `runtime.guard`.\n\nIt verifies that the current envelope:\n\n- was delivered by the scheduler,\n- belongs to the active handler,\n- contains non-empty `id`,\n- contains non-empty `from`,\n- contains non-empty `to`,\n- contains non-empty `act`,\n- contains non-empty `message_type`.\n\nFailures transition the runtime to `failed` while retaining the trace ledger.\n\nOnly `facu` and `marron` are recognized.\n\nBoth must use the exact binding declared by the enclosing handler.\n\n## Reactive handlers v0.5\n\nAgents can react to received message types:\n\n```argx\nagent PromptScanner {\n    receives UserPrompt\n    sends Finding to PolicyJudge\n\n    on UserPrompt as prompt {\n        emit Finding to PolicyJudge\n    }\n}\n```\n\nHandlers support only:\n\n- `emit MessageType to AgentName`\n- `trace binding`\n- `halt`\n\nThe compiler verifies:\n\n- input types,\n- matching `receives` contracts,\n- matching `sends` contracts,\n- destinations,\n- trace bindings,\n- duplicate handlers,\n- `runtime.halt` capability,\n- approval policy.\n\nReactive execution requires an initial message in this format:\n\n```text\n--inject FROM:TO:ACT:MESSAGE_TYPE\n```\n\nPayloads are `{}` in v0.5.\n\nThe scheduler delivers the injected envelope, executes the matching handler, queues emitted messages, and repeats until `halt` or until no pending messages remain.\n\n## Bytecode\n\n`argorix_bytecode` lowers validated IR into JSON-serializable bytecode:\n\n```json\n{\n  \"bytecode_version\": \"0.12\",\n  \"language\": \"Argorix Lang\",\n  \"module\": \"Argorix.Security\",\n  \"providers\": [],\n  \"agents\": [],\n  \"capabilities\": [],\n  \"instructions\": [\n    {\n      \"op\": \"SendMessage\",\n      \"from\": \"PromptScanner\",\n      \"to\": \"PolicyJudge\",\n      \"act\": \"propose\",\n      \"message_type\": \"Finding\"\n    },\n    {\n      \"op\": \"End\"\n    }\n  ]\n}\n```\n\nThe instruction model supports:\n\n- `DeclareAgent`\n- `DeclareProviderContract`\n- `DeclareCapability`\n- `DeclareProtocol`\n- `DeclareHandler`\n- `EmitMessage`\n- `TraceValue`\n- `HandlerHalt`\n- `EndHandler`\n- `InvokeIntrinsic`\n- `DeclareTool`\n- `AuthorizeTool`\n- `CallTool`\n- `DeclareModel`\n- `AuthorizeModel`\n- `AskModel`\n- `DeclareAssertion`\n- `DeclareFailure`\n- `VerifyAssertion`\n- `PolicyReport`\n- `SendMessage`\n- `RequireCapability`\n- `RequireApproval`\n- `Trace`\n- `Halt`\n- `End`\n\nLowering emits declarations and security requirements before protocol message instructions.\n\n`Halt` is supported by the format and causes dry-run execution to stop with an error. The compiler does not emit it for a valid protocol merely because a capability happens to be named `runtime.halt`.\n\n## Bytecode verification\n\nThe verifier requires:\n\n- Bytecode version `0.17` for newly compiled programs. Versions `0.3`, `0.5`,\n  `0.6`, `0.7`, `0.8`, `0.9`, `0.10`, `0.11`, `0.12`, `0.13`, `0.14`, and `0.15`\n  remain accepted for compatibility. Module metadata (`modules`/`imports`)\n  requires version `0.16`.\n- At least one agent.\n- At least one protocol or `SendMessage`.\n- Complete, non-empty message fields.\n- Known or explicitly external senders and receivers.\n- Existing agents for approval and capability requirements.\n- A final `End` instruction.\n\nAllowed external entities remain:\n\n- `User`\n- `System`\n- `Runtime`\n- `Memory`\n- `Tool`\n\n## VM runtime\n\nThe VM verifies bytecode again before execution and initializes one FIFO mailbox for every internal agent.\n\nThe deterministic scheduler converts each `SendMessage` into a serializable message envelope:\n\n```json\n{\n  \"id\": \"msg_001\",\n  \"from\": \"User\",\n  \"to\": \"PromptScanner\",\n  \"act\": \"tell\",\n  \"message_type\": \"UserPrompt\",\n  \"payload\": {}\n}\n```\n\nEach internal message is scheduled, delivered to the receiver mailbox, and processed in bytecode order.\n\nExternal entities do not receive internal mailboxes.\n\nNo network calls, tools, LLMs, or concurrent tasks are executed.\n\nExample text output:\n\n```text\nArgorix VM v0.17\n\nLoaded bytecode: examples/prompt_defense.argbc.json\nExecution mode: dry-run\n\nStep 1: User --tell UserPrompt--\u003e PromptScanner\nStep 2: PromptScanner --propose Finding--\u003e PolicyJudge\nStep 3: PolicyJudge --commit Decision--\u003e RuntimeGate\n\nSecurity checks: passed\nTrace: generated\nStatus: completed\n```\n\nWith `--mailboxes`, the CLI shows initialization and the three scheduler phases for each message.\n\nWith `--json`, execution returns runtime state summaries and the complete ledger:\n\n```json\n{\n  \"vm_version\": \"0.12\",\n  \"status\": \"completed\",\n  \"mode\": \"reactive-dry-run\",\n  \"scheduler\": \"deterministic\",\n  \"steps\": [\n    {\n      \"index\": 1,\n      \"from\": \"User\",\n      \"to\": \"PromptScanner\",\n      \"act\": \"tell\",\n      \"message_type\": \"UserPrompt\",\n      \"status\": \"ok\"\n    }\n  ],\n  \"mailboxes\": [\n    {\n      \"agent\": \"PromptScanner\",\n      \"delivered\": 1,\n      \"processed\": 1\n    }\n  ],\n  \"events\": [],\n  \"security_checks\": \"passed\"\n}\n```\n\nRuntime status progresses through:\n\n- `initialized`\n- `running`\n- `completed`\n- `failed`\n\nReactive JSON uses `vm_version: \"0.17\"` and\n`mode: \"reactive-dry-run\"`. Each step records the agent, handled message,\nemitted messages, traced bindings, and whether the handler halted execution.\n\nThe public `RuntimeState` retains:\n\n- agents,\n- mailboxes,\n- pending messages,\n- completed-step count,\n- status,\n- `TraceLedger`.\n\nThe ledger records:\n\n- `VmStarted`\n- declarations,\n- message scheduling,\n- delivery,\n- processing,\n- `VmCompleted`\n- `VmFailed`\n\nBecause the scheduler mutates a caller-owned state, failure diagnostics do not discard the ledger.\n\nReactive JSON uses:\n\n```text\nvm_version: \"0.12\"\nmode: \"reactive-dry-run\"\n```\n\nEach step records:\n\n- agent,\n- handled message,\n- emitted messages,\n- traced bindings,\n- whether the handler halted execution.\n\nTool-aware JSON includes `tool_calls`, with:\n\n- agent,\n- tool,\n- capability,\n- authorization status,\n- dry-run mode.\n\nModel-aware JSON includes `model_calls`, with:\n\n- agent,\n- model,\n- simulated provider,\n- capability,\n- authorization status,\n- dry-run mode.\n\nPolicy-aware JSON includes:\n\n- `policy_report.status`,\n- one result per assertion,\n- activated failure modes.\n\nThe trace ledger also records assertion and failure declarations, assertion verification or failure, failure-mode activation, and policy-report generation.\n\n## Source security model\n\nArgorix v0.2 security remains enforced before bytecode generation:\n\n- Capabilities have `safe`, `restricted`, or `dangerous` levels.\n- Restricted and dangerous capabilities require `approval granted`.\n- Every used capability must exist in the module registry.\n- Protocol steps must match agent `sends` and `receives` contracts.\n\nRegistry-free v0.1 sources require explicit compatibility mode:\n\n```bash\ncargo run -p argorixc -- --legacy-capabilities check examples/prompt_defense.argx\n```\n\n## Workspace\n\n```text\ncrates/argorixc          Source compiler CLI\ncrates/argorix_parser    Lexer, parser, AST, spans, diagnostics\ncrates/argorix_semantics Source-level security and protocol verifier\ncrates/argorix_ir          Argorix IR 0.17 with policy and module metadata\ncrates/argorix_bytecode    IR lowering and Bytecode 0.3 through 0.17 verifier\ncrates/argorix_module      Manifest parsing and deterministic module resolution\ncrates/argorix_conformance Official direct-API Conformance Suite runner\ncrates/argorix_provider  Executable providers, adapter contracts, and registry\ncrates/argorix_vm        VM, preserved outcomes, ledger, security reports\ncrates/argorix-vm        Bytecode VM CLI\nexamples                 Source and bytecode fixtures\ntests                    End-to-end compiler tests\n```\n\n## Examples\n\n### Valid source and bytecode fixtures\n\n- `prompt_defense_v02.argx`: valid secure source program.\n- `prompt_defense_v05.argx`: valid reactive source program.\n- `prompt_defense_v05.argbc.json`: generated reactive Bytecode 0.5.\n- `prompt_defense_v06.argx`: reactive program with state and causal guards.\n- `prompt_defense_v06.argbc.json`: generated Bytecode 0.6 fixture.\n- `tool_call_v07.argx`: valid controlled-tool source program.\n- `tool_call_v07.argbc.json`: generated Bytecode 0.7 fixture.\n- `model_call_v08.argx`: valid simulated-model source program.\n- `model_call_v08.argbc.json`: generated Bytecode 0.8 fixture.\n- `policy_assertions_v09.argx`: valid global-policy source program.\n- `policy_assertions_v09.argbc.json`: generated Bytecode 0.9 fixture.\n- `provider_boundary_v010.argx`: valid provider-boundary source program.\n- `provider_boundary_v010.argbc.json`: generated Bytecode 0.10 fixture.\n- `provider_contracts_v011.argx`: valid disabled external adapter contract.\n- `provider_contracts_v011.argbc.json`: generated Bytecode 0.11 fixture.\n- `provider_allowlists_v012.argx`: valid model allowlist contract.\n- `provider_allowlists_v012.argbc.json`: generated Bytecode 0.12 model fixture.\n- `provider_allowlists_v013.argx`: v0.12-compatible allowlist source compiled by v0.13.\n- `provider_allowlists_v013.argbc.json`: generated Bytecode 0.13 security-report fixture.\n- `provider_allowlists_v014.argx`: Evidence Bundle and offline-verification source fixture.\n- `provider_allowlists_v014.argbc.json`: generated Bytecode 0.14 evidence fixture.\n- `provider_allowlists_v015.argx`: Conformance Suite release source fixture.\n- `provider_allowlists_v015.argbc.json`: generated Bytecode 0.15 fixture.\n- `provider_allowlists_v016.argx`: single-file v0.16 source fixture.\n- `provider_allowlists_v016.argbc.json`: generated Bytecode 0.16 fixture.\n- `module_project/`: multi-file v0.16 package (`argorix.toml` + `src/`).\n- `atrust_handshake_v029.argx`: valid v0.29 ATrust Handshake Dry-Run source program.\n- `atrust_handshake_v029.argbc.json`: generated Bytecode 0.29 handshake fixture.\n- `bridge_contracts_v031.argx`: valid v0.31 MCP / A2A Bridge Contracts source program.\n- `bridge_contracts_project/`: multi-file v0.31 package with imported `mcp_bridge_contract` and `a2a_bridge_contract` blocks.\n- `invalid_bridge_contracts/`: rejected bridge contract forms (open network, enabled execution, secret/key material, api_key auth, security claims, unbound references, duplicate names).\n- `trust_ledger_v030.argx`: valid v0.30 Trust Ledger Hash Chain source program.\n- `trust_ledger_v030.argbc.json`: generated Bytecode 0.30 trust ledger fixture.\n- `trust_ledger_project/`: multi-file v0.30 package with an imported `trust_ledger`.\n- `invalid_trust_ledgers/`: fixtures that must fail semantic checking.\n- `policy_v017.argx`: single-file Policy Language v2 source fixture.\n- `policy_v017.argbc.json`: generated Bytecode 0.17 policy fixture.\n- `policy_project/`: multi-file v0.17 package with an imported policy.\n- `invalid_policies/`: stable parser and semantic policy diagnostics.\n- `invalid_modules/`: package fixtures for each module-resolution failure.\n- `conformance/suite.v016.json`: official portable v0.16 suite.\n- `conformance/suite.v017.json`: official portable v0.17 Policy v2 suite.\n- `provider_allowlists_tools_v012.argx`: valid tool allowlist contract.\n- `provider_allowlists_tools_v012.argbc.json`: generated Bytecode 0.12 tool fixture.\n\n### Failure fixtures\n\n- `provider_allowlist_unknown_target.argx`: unknown target failure.\n- `provider_allowlist_unknown_capability.argx`: unknown capability failure.\n- `provider_allowlist_duplicate_target.argx`: duplicate target failure.\n- `provider_allowlist_duplicate_capability.argx`: duplicate capability failure.\n- `provider_allowlist_incompatible_capability.argx`: target/capability mismatch.\n- `provider_allowlist_external_execution_still_blocked.argx`: allowlisted external execution failure.\n- `provider_external_enabled.argx`: enabled external-contract failure.\n- `provider_external_missing_feature_flag.argx`: missing feature gate failure.\n- `provider_external_missing_approval.argx`: missing approval gate failure.\n- `provider_external_used_by_model.argx`: external model-provider failure.\n- `provider_external_used_by_tool.argx`: external tool-provider failure.\n- `tool_invalid_provider.argx`: unsupported tool provider failure.\n- `model_invalid_provider_v010.argx`: unsupported model provider failure.\n- `assert_unknown.argx`: unknown assertion failure.\n- `failure_invalid_action.argx`: unsupported failure action.\n- `failure_missing_trace.argx`: missing mandatory failure trace.\n- `invalid_bytecode_missing_end.argbc.json`: verifier failure fixture.\n- `restricted_without_approval.argx`: source approval failure.\n- `unknown_capability.argx`: undeclared capability failure.\n\n## Argorix Lang v0.31 MCP / A2A Bridge Contracts\n\nv0.31 adds two top-level declarations, `mcp_bridge_contract` and\n`a2a_bridge_contract`, that describe **allowed interoperability surfaces** for an\nagent. They declare *how* an agent could interoperate with external MCP servers\n(tools, resources, prompts) or with another agent over A2A — but declaring a\nbridge never connects it.\n\nGuiding principle: **a bridge may be declared before it is connected.** Extended:\n*bridge contracts describe allowed interoperability surfaces; they do not open\nnetwork access by themselves.*\n\n- **`mcp_bridge_contract`** binds an `agent`, its `passport`, its\n  `atrust_identity`, and an `atrust_boundary`, then declares the MCP `tools`,\n  `resources`, and `prompts` the agent could reach. `protocol` is always `mcp`;\n  `transport` is `declared_only` or `disabled`; `direction` is\n  `inbound`/`outbound`/`bidirectional`.\n- **`a2a_bridge_contract`** binds an `initiator` and `responder` (distinct\n  agents), their passports and identities, a prior `atrust_handshake`, the\n  `trust_ledger` that records that handshake, and an `atrust_boundary`, then\n  declares the `message_contracts` (declared message types) and `capabilities`\n  the bridge could exchange. `protocol` is always `a2a`.\n\nBoth blocks pin a closed security boundary that semantic analysis, the bytecode\nverifier, and Policy v2 all enforce:\n\n- `network denied` — no runtime network is opened.\n- `external_execution disabled`, `tool_execution disabled` (MCP),\n  `agent_execution disabled` (A2A) — nothing is executed.\n- `secret_material denied`, `key_material denied` — no secret or key material.\n- `authentication none | declared_only` — no API key, OAuth, or bearer token is\n  used.\n- `authorization policy_bound | declared_only`, `evidence required`,\n  `security_claims none`.\n\nA declared bridge makes **no** connectivity claim:\n\n- **MCP bridge declared ≠ MCP connected** — no MCP server exists and no tool runs.\n- **A2A bridge declared ≠ A2A messages sent** — no agent communication occurred\n  and no agent is executed.\n- `network denied` means there is no runtime network.\n- `authentication none`/`declared_only` means no API key, OAuth, or bearer token\n  was used.\n\nv0.31 explicitly **does not** add HTTP/websocket/SSE clients, a stdio or JSON-RPC\nMCP runtime, an A2A runtime, OpenAI/Anthropic/Google API calls, external tool or\nshell execution, environment-variable or secret/API-key reads, OAuth, wallets,\nreal DID resolution, real credential or handshake execution, signing, signature\nverification, encryption, blockchain, or consensus. There are **no** executable\nbridge instructions (`OpenMcpConnection`, `CallMcpTool`, `SendA2AMessage`,\n`ExecuteAgent`, `OpenNetwork`, `ReadApiKey`, …); bridge contracts are\nmetadata/evidence only. The simulated provider remains the only executable\nprovider.\n\nBridge contracts relate to the rest of the language as governance metadata:\n\n- relation with the **Agent Passport** (v0.19): a bridge binds the agent's\n  declared passport, and the passport must belong to that agent.\n- relation with **ATrust Identity** (v0.27): a bridge binds the agent's\n  `atrust_identity`, whose subject must be the agent and whose boundary must\n  match the bridge boundary.\n- relation with **ATrust Handshake** (v0.29): an A2A bridge references a prior\n  dry-run handshake that must bind its initiator and responder.\n- relation with the **Trust Ledger** (v0.30): the A2A bridge's `trust_ledger`\n  must include a `handshake` entry for the referenced handshake.\n- relation with the **Evidence Bundle** (v0.14): bridge metadata flows into the\n  SecurityReport and EvidenceBundle and verifies offline; bundles remain\n  compatible with 0.29 and 0.30.\n- relation with **Policy v2** (v0.17): the rules `mcp_bridge_contracts_declared`,\n  `a2a_bridge_handshakes_bound`, `a2a_bridge_trust_ledgers_bound`,\n  `mcp_bridge_network_denied`, `a2a_bridge_agent_execution_disabled`, and the\n  other `*_bridge_*` rules require the declared, closed-boundary surface.\n\nThe SecurityReport (v0.31) summarizes declared bridges under\n`mcp_bridge_contracts` and `a2a_bridge_contracts` (`total`, `names`, `protocols`,\n`directions`, `network.denied`, `external_execution.disabled`,\n`tool_execution.disabled` / `agent_execution.disabled`, `security_claims.none`).\nIt never emits `mcp_connected`, `a2a_connected`, `tool_verified`,\n`agent_verified`, or `secure_bridge`. **Bridge declared does not mean bridge\nconnected.**\n\n```argx\nmcp_bridge_contract ResearchMcpBridge {\n  agent ResearchAgent\n  passport ResearchPassport\n  identity ResearchIdentity\n  boundary AgentTrustBoundary\n\n  transport declared_only\n  protocol mcp\n  direction outbound\n\n  tools [\"search.read\", \"memory.read\"]\n  resources [\"docs.public\", \"kb.public\"]\n  prompts [\"research.summary\"]\n\n  network denied\n  external_execution disabled\n  tool_execution disabled\n  secret_material denied\n  key_material denied\n\n  authentication none\n  authorization policy_bound\n  evidence required\n  security_claims none\n\n  purpose [\"mcp\", \"bridge-contract\", \"dry-run\"]\n  notes \"metadata only; no MCP runtime\"\n}\n\na2a_bridge_contract ResearchA2ABridge {\n  initiator ResearchAgent\n  responder VerifierAgent\n\n  initiator_passport ResearchPassport\n  responder_passport VerifierPassport\n\n  initiator_identity ResearchIdentity\n  responder_identity VerifierIdentity\n\n  handshake ResearchHandshake\n  trust_ledger ATrustLedger\n  boundary AgentTrustBoundary\n\n  protocol a2a\n  transport declared_only\n  direction bidirectional\n\n  message_contracts [\"ResearchRequest\", \"ResearchResponse\"]\n  capabilities [\"ask.llm\", \"respond.safe\"]\n\n  network denied\n  external_execution disabled\n  agent_execution disabled\n  secret_material denied\n  key_material denied\n\n  authentication none\n  authorization policy_bound\n  evidence required\n  security_claims none\n\n  purpose [\"a2a\", \"bridge-contract\", \"dry-run\"]\n  notes \"metadata only; no A2A runtime\"\n}\n```\n\nSee `examples/bridge_contracts_v031.argx` (single file) and\n`examples/bridge_contracts_project/` (multi-file package) for complete programs,\nand `examples/invalid_bridge_contracts/` for the rejected forms.\n\n## Argorix Lang v0.30 Trust Ledger Hash Chain\n\nv0.30 adds a top-level `trust_ledger` declaration that preserves an ordered,\nauditable **hash chain** of trust evidence linking the earlier ATrust artifacts\n(identities, credential contracts, handshakes) and the evidence bundle.\n\nA `trust_ledger` is an **audit structure, not a blockchain and not a cryptographic\ntrust guarantee**. The guiding principle: *trust evidence may be linked before it\nis trusted — no trust event becomes authority merely because it is chained.*\n\n```argx\ntrust_ledger ATrustLedger {\n  scope local\n  mode dry_run\n  hash_algorithm sha256\n  chain_policy append_only\n\n  entries [\n    {\n      id \"entry-001\"\n      kind identity\n      subject ResearchIdentity\n      previous_hash \"GENESIS\"\n      entry_hash \"sha256:declared-entry-001\"\n      evidence_ref \"bundle:identity\"\n    },\n    {\n      id \"entry-002\"\n      kind handshake\n      subject ResearchHandshake\n      previous_hash \"sha256:declared-entry-001\"\n      entry_hash \"sha256:declared-entry-002\"\n      evidence_ref \"bundle:handshake\"\n    }\n  ]\n\n  chain_root \"sha256:declared-entry-002\"\n\n  network denied\n  key_material denied\n  secret_material denied\n  execution disabled\n  evidence required\n  security_claims none\n\n  purpose [\"trust-ledger\", \"evidence-chain\", \"dry-run\"]\n}\n```\n\n### Hash chain vs. blockchain vs. immutability\n\nA declared hash chain links entries by recording each entry's `previous_hash` and\n`entry_hash`, with `chain_root` pinned to the final entry. The compiler checks the\nlinking is consistent (`previous_hash` of the first entry is `GENESIS`, every later\nentry's `previous_hash` equals the prior `entry_hash`, and `chain_root` matches the\nlast `entry_hash`). That is **all** it does. v0.30 explicitly **does not**:\n\n- implement a blockchain, consensus, mining, staking, or peer-to-peer networking;\n- broadcast to a network or open any connection;\n- sign entries, verify signatures, generate keys, read keys, or read secrets;\n- resolve DIDs, verify credentials, verify presentations, or execute handshakes;\n- compute real cryptographic digests as a security guarantee.\n\nTherefore: **trust ledger declared does not mean immutable ledger; hash chain\ndeclared does not mean tamper-proof, blockchain, identity verified, credential\nverified, or handshake secure. `post_quantum_ready` does not mean\n`post_quantum_secure`.**\n\n### Fields and allowed values\n\n| field | allowed values |\n| --- | --- |\n| `scope` | `local`, `package`, `bundle` |\n| `mode` | `dry_run`, `declared_only` |\n| `hash_algorithm` | a declared `crypto` of kind `hash` that is not `denied` |\n| `chain_policy` | `append_only`, `declared_only` |\n| `network` | `denied` |\n| `key_material` / `secret_material` | `denied` |\n| `execution` | `disabled` |\n| `evidence` | `required` |\n| `security_claims` | `none` |\n\nEach entry requires `id`, `kind` (`identity`, `credential`, `handshake`, `evidence`,\n`policy`, or `custom`), `subject`, `previous_hash`, `entry_hash`, and `evidence_ref`.\nAn `identity`/`credential`/`handshake`/`policy` entry's `subject` must reference a\ndeclared artifact of that kind; `entry_hash` must use the `hash_algorithm` prefix\n(e.g. `sha256:`). `purpose` is a required, non-empty array of non-empty strings.\n\n### Policy v2, SecurityReport \u0026 EvidenceBundle\n\nv0.30 adds Policy v2 rules including `trust_ledgers_declared`,\n`trust_ledger_hash_algorithm_declared`, `trust_ledger_chain_valid`,\n`trust_ledger_entries_bound`, `trust_ledger_append_only`, the boundary rules\n(`trust_ledger_network_denied`, `…_key_material_denied`, `…_secret_material_denied`,\n`…_execution_disabled`, `…_evidence_required`), and the absence rules\n(`trust_ledger_security_claims_absent`, `trust_ledger_blockchain_absent`,\n`trust_ledger_signature_absent`). See\n[`examples/trust_ledger_v030.argx`](examples/trust_ledger_v030.argx).\n\nThe SecurityReport (v0.30) reports the count of declared ledgers under\n`trust_ledgers` and never emits any `immutable` / `tamper_proof` /\n`blockchain_verified` / `identity_verified` / `credential_verified` /\n`handshake_secure` / `post_quantum_secure` claim. The EvidenceBundle (v0.30)\ncovers the ledger metadata through the Bytecode, trace, report, and ledger\ndigests, and still verifies every bundle from `0.14` onward.\n\nVersions advance together to `0.30` (workspace, IR, Bytecode, VM trace,\nSecurityReport, EvidenceBundle, ConformanceSuite) while Bytecode `0.29` and\nEvidenceBundle `0.29` — and every earlier feature — remain fully supported.\n\n## Argorix Lang v0.29 ATrust Handshake Dry-Run\n\nv0.29 adds a top-level `atrust_handshake` declaration that lets a program declare\nand **simulate** an ATrust handshake flow between two agents. It is the natural\nsuccessor to the ATrust boundary (`v0.26`), identity dry-run (`v0.27`), and\ncredential contracts (`v0.28`).\n\nA handshake binds together everything that must exist *before* any trust exchange\ncould ever run:\n\n- an `initiator` agent and a distinct `responder` agent,\n- an `initiator_identity` and `responder_identity` (`atrust_identity` declarations\n  whose `subject` must match the corresponding agent),\n- one or more `credential_contracts` (`atrust_credential_contract` declarations,\n  each bound to a participant identity),\n- an `atrust_boundary` shared by both identities and all referenced credentials,\n- a `did_method` shared by both identities and all referenced credentials and\n  allowed by the boundary's `did_methods`.\n\n```argx\natrust_handshake ResearchHandshake {\n  initiator ResearchAgent\n  responder VerifierAgent\n\n  initiator_identity ResearchIdentity\n  responder_identity VerifierIdentity\n\n  credential_contracts [\"ResearchCredential\"]\n\n  boundary AgentTrustBoundary\n  method argorix\n\n  mode dry_run\n  direction mutual\n\n  challenge declared_only\n  response declared_only\n  transcript evidence_only\n\n  verification declared_only\n  resolution disabled\n  network denied\n\n  key_material denied\n  secret_material denied\n  execution disabled\n\n  evidence required\n  security_claims none\n\n  purpose [\"handshake\", \"identity-link\", \"credential-contract\", \"dry-run\"]\n  notes \"metadata only; no real handshake\"\n}\n```\n\n### What a handshake dry-run is — and is not\n\nA `dry_run` handshake is **evidence of a declared trust flow, not proof of secure\ncommunication**. The compiler validates the declared shape and bindings, lowers the\nmetadata into IR, Bytecode, the VM trace, the SecurityReport, and the EvidenceBundle,\nand stops there. v0.29 explicitly **does not**:\n\n- execute a real handshake, or emit any `RunHandshake`/`HandshakeInit`/`HandshakeAck`\n  instruction;\n- generate nonces or real challenges, sign challenges, or verify responses;\n- verify credentials, presentations, or real identities;\n- resolve DIDs, query ledgers, or open network connections;\n- sign, verify signatures, encrypt, decrypt, generate keys, read keys, or read secrets.\n\nTherefore: **handshake dry-run does not mean handshake executed, agents\nauthenticated, credential verified, or secure channel established. `post_quantum_ready`\ndoes not mean `post_quantum_secure`.**\n\n### Allowed field values\n\n| field | allowed values |\n| --- | --- |\n| `mode` | `dry_run` |\n| `direction` | `one_way`, `mutual` |\n| `challenge` | `declared_only`, `disabled` |\n| `response` | `declared_only`, `disabled` |\n| `transcript` | `metadata_only`, `evidence_only` |\n| `verification` | `declared_only`, `disabled` |\n| `resolution` | `disabled`, `embedded`, `local` |\n| `network` | `denied` |\n| `key_material` / `secret_material` | `denied` |\n| `execution` | `disabled` |\n| `evidence` | `required` |\n| `security_claims` | `none` |\n\n`purpose` is a required, non-empty array of non-empty strings; `notes` is optional\nbut, when present, must be non-empty.\n\n### Policy v2 integration\n\nv0.29 adds named handshake rules to Policy Language v2, e.g.\n`atrust_handshake_declared`, `atrust_handshake_mode_dry_run`,\n`atrust_handshake_challenge_declared_only`, `atrust_handshake_network_denied`,\n`atrust_handshake_execution_disabled`, `atrust_handshake_evidence_required`, and\n`atrust_handshake_security_claims_absent` (see\n[`examples/atrust_handshake_v029.argx`](examples/atrust_handshake_v029.argx) for the\nfull set).\n\n### SecurityReport \u0026 EvidenceBundle\n\nThe SecurityReport (v0.29) reports the number of declared handshakes under\n`atrust_handshakes` and never emits any `handshake_secure` / `identity_verified` /\n`credential_verified` / `presentation_verified` / `post_quantum_secure` claim. The\nEvidenceBundle (v0.29) covers the handshake metadata through the Bytecode, trace,\nreport, and ledger digests, while still verifying every bundle from `0.14` onward.\n\nVersions advance together to `0.29` (workspace, IR, Bytecode, VM trace,\nSecurityReport, EvidenceBundle, ConformanceSuite) while Bytecode `0.28` and\nEvidenceBundle `0.28` — and every earlier feature — remain fully supported.\n\n## Roadmap\n\n1. `v0.1` — compiled structure.\n2. `v0.2` — compiled security.\n3. `v0.3` — compiled execution through bytecode and dry-run VM.\n4. `v0.4` — agent mailboxes, deterministic scheduling, runtime state, trace ledger.\n5. `v0.5` — declarative handlers and reactive dry-run execution.\n6. `v0.6` — controlled agent state, deterministic checkpoints, causal guards.\n7. `v0.7` — declared, authorized, capability-controlled tool calls.\n8. `v0.8` — declared, authorized, simulated model invocation.\n9. `v0.9` — compiled global policies, failure modes, and runtime reports.\n10. `v0.10` — audited provider boundary and simulated provider registry.\n11. `v0.11` — disabled external adapter contracts and conformance checks.\n12. `v0.12` — declarative provider target/capability allowlists.\n13. `v0.13` — preserved execution outcomes and deterministic security reports.\n14. `v0.14` — portable Evidence Bundles and offline semantic verification.\n15. `v0.15` — official portable, data-driven Conformance Suite.\n16. `v0.16` — local Module / Package System with deterministic resolution.\n17. `v0.17` — Policy Language v2 with named require/deny rules and evidence-backed actions.\n17. `v0.17+` — sandboxed provider work.\n18. `v0.26` — ATrust Boundary Contracts.\n19. `v0.27` — ATrust Identity Dry-Run.\n20. `v0.28` — ATrust Credential Contracts.\n21. `v0.29` — ATrust Handshake Dry-Run (declared, simulated trust flow; no real crypto/network).\n22. `v0.30` — Trust Ledger Hash Chain (declared, auditable evidence chain; no blockchain/consensus/signing).\n23. Optional WASM/native backends.\n24. Progressive self-hosting in Argorix Lang.\n\n## Security posture\n\nArgorix Lang is designed to fail closed.\n\nCurrent versions do not execute real tools, real models, network calls, MCP/A2A calls, shells, or external provider systems.\n\nThe VM validates bytecode, simulates protocol message flow, records runtime evidence, and preserves the trace ledger for inspection.\n\nExternal provider contracts are declarative only until sandboxed provider work is introduced in later versions.\n\n## Project philosophy\n\nSecure AI-agent systems should be:\n\n- explicit,\n- inspectable,\n- testable,\n- traceable,\n- policy-aware,\n- governed at the runtime boundary.\n\nArgorix Lang is an open-source exploration of that direction.\n\n\u003e Rust is the forge. Argorix Lang is the sword.\n\n## Demo1\n\nA chatbot governed by Argorix Lang v1.0 — contracts, policy, evidence and\nfail-closed enforcement (including input-boundary prompt-injection / secret\nexfiltration blocking). Source: [`demo/argorix-chatbot-runtime/`](demo/argorix-chatbot-runtime/).\n\n\u003cvideo src=\"https://github.com/argorixlabs/argorixlang/raw/main/videodemo/Demo1.mp4\" controls width=\"720\"\u003e\u003c/video\u003e\n\n▶️ If the player does not load above, [watch Demo1 directly](videodemo/Demo1.mp4).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fargorixlabs%2Fargorixlang","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fargorixlabs%2Fargorixlang","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fargorixlabs%2Fargorixlang/lists"}